ipsec
-----
.. osdx:cfgcmd:: vpn ipsec
.. raw:: html
Devices
VPN IP security (IPsec) parameters
.. osdx:cfgcmd:: vpn ipsec auth-profile
.. raw:: html
Devices
IPSec Authentication Profile
:arg id:
Name of the IPSec authentication profile
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets
.. raw:: html
Devices
Global secrets for local/remote peers
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets eap
.. raw:: html
Devices
EAP (Extensible Authentication Protocol) for local/remote peers
EAP-Identity to use in EAP-Identity exchange and the EAP method.
:arg id:
EAP identifier used against when authenticating
:instances: Multiple
:ref Required: vpn ipsec auth-profile * global-secrets eap * encrypted-secret *
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets eap encrypted-secret
.. raw:: html
Devices
:arg password:
Encrypted secret used by associated EAP identifier
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets eap secret
.. raw:: html
Devices
Secret used by associated EAP identifier
These characters are allowed to be used for setting the secret:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set pre-shared secret key is recommended. If you are
using special characters in the secret then single quotes are required.
Example usage: 'aA1-&!@,.:_2Bb'
:arg id:
Secret used when authenticating
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets ike-psk
.. raw:: html
Devices
IKE Pre-Shared Key for local/remote peers
:arg id:
Specific identity to use
:instances: Multiple
:ref Required: vpn ipsec auth-profile * global-secrets ike-psk * encrypted-secret *
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets ike-psk encrypted-secret
.. raw:: html
Devices
:arg password:
Encrypted secret used by associated IKE Pre-Shared Key identifier
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets ike-psk secret
.. raw:: html
Devices
Secret used by associated IKE Pre-Shared Key identifier
These characters are allowed to be used for setting the secret:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set pre-shared secret key is recommended. If you are
using special characters in the secret then single quotes are required.
Example usage: 'aA1-&!@,.:_2Bb'
:arg id:
Secret used when authenticating
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets ppk
.. raw:: html
Devices
PPK (Post-Quantum Pre-Shared Key) for local/remote peers
The PPK (Post-Quantum Pre-Shared Key) identifier used for authentication.
:arg id:
String identifying the Postquantum Preshared Key to be used
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets ppk encrypted-secret
.. raw:: html
Devices
:arg password:
Encrypted Post-Quantum Pre-Shared Key used by associated ID
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets ppk file
.. raw:: html
Devices
:arg file:
File containing the Post-Quantum Pre-Shared Key (PPK) to use
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets ppk secret
.. raw:: html
Devices
Post-Quantum Pre-Shared Key used by associated ID
These characters are allowed to be used for setting the secret:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set pre-shared secret key is recommended. If you are
using special characters in the secret then single quotes are required.
Example usage: 'aA1-&!@,.:_2Bb'
:arg id:
Secret used when authenticating
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets xauth
.. raw:: html
Devices
XAUTH (Extended Authentication) for both peers
Client XAuth username used in the XAuth exchange.
:arg id:
Client XAUTH username
:instances: Multiple
:ref Required: vpn ipsec auth-profile * global-secrets xauth * encrypted-secret *
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets xauth encrypted-secret
.. raw:: html
Devices
:arg password:
Encrypted secret used by associated XAUTH identifier
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets xauth secret
.. raw:: html
Devices
Secret used by associated XAUTH identifier
These characters are allowed to be used for setting the secret:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set the secret is recommended. If you are
using special characters in the secret then single quotes are required.
Example usage: 'aA1-&!@,.:_2Bb'
:arg id:
Secret used when authenticating
.. osdx:cfgcmd:: vpn ipsec auth-profile local
.. raw:: html
Devices
Local (left) authentication configuration
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth
.. raw:: html
Devices
Authentication method locally used
When a peer authenticates against us (as a server), a local authentication
method must be used. By default, it is "pubkey" (key-pair certificates)
and if not specified uses system certificates for authentication. This is done
in order to ensure that we are who we say (it is, to avoid spoofing attacks).
Another method is done by using a pre-shared key. Despite this is not as secure as
X.509 certificates, it will allow server identification and would serve for the
same purposes. Finally, there is also EAP (Extensible Authentication Protocol)
available, which allows authenticating users using a username/password.
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth eap
.. raw:: html
Devices
EAP (Extensible Authentication Protocol) for local/remote peers
Specify which EAP secret ID to use for authentication.
The actual secret must be defined in global-secrets/eap.
Notice that strongSwan magic values can be used (for example, "%any").
For more information, please refer to the VPN documentation.
:arg id:
EAP identifier/username/remote ID used against when authenticating
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth eap type
.. raw:: html
Devices
Type of EAP authentication to use. By default, it is guessed
Different kind of EAP authentication mechanisms can be used during identity
exchange. By default, the EAP method is guessed during IKE negotiation but you
can manually specify which one must be used.
:arg mschapv2:
EAP-Microsoft Challenge Handshake Authentication Protocol version 2
:arg tls:
EAP-TLS protocol handler, to authenticate with certificates in EAP
:arg ttls:
EAP-TTLS protocol handler, wraps other EAP methods securely
:arg md5:
EAP-MD5 protocol handler using passwords
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth ike-psk
.. raw:: html
Devices
IKE Pre-Shared Key for local/remote peers
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth ike-psk id
.. raw:: html
Devices
String identifying IKE Pre-Shared Key for local/remote peers
Specify which IKE Pre-Shared Key secret ID to use for local authentication.
This is used for authenticating peers during IKE negotiation. For more information, refer to the VPN documentation.
:arg id:
String identifying the IKE Pre-Shared Key to be used
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth radius
.. raw:: html
Devices
IPSec RADIUS based authentication
.. osdx:cfgcmd:: vpn ipsec auth-profile local ca-cert-file
.. raw:: html
Devices
:arg file:
local CA certificate file
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile local cert-file
.. raw:: html
Devices
:arg file:
local certificate file
.. osdx:cfgcmd:: vpn ipsec auth-profile local cnm-certs
.. raw:: html
Devices
Licenses
local Cloud Network Manager (CNM) certificates
.. osdx:cfgcmd:: vpn ipsec auth-profile local crl
.. raw:: html
Devices
local Certificate Revocation List
.. osdx:cfgcmd:: vpn ipsec auth-profile local crl file
.. raw:: html
Devices
:arg file:
Local CRL file
.. osdx:cfgcmd:: vpn ipsec auth-profile local crl revocation
.. raw:: html
Devices
Revocation mode
:arg relaxed:
Auth fails, if certificate revoked
:arg strict:
Auth fails, if certificate revoked or if CRL cannot be loaded/downloaded
.. osdx:cfgcmd:: vpn ipsec auth-profile local crl url
.. raw:: html
Devices
:arg txt:
CRL file HTTP download URL
Will attempt to HTTP fetch this URL first, before attempting to fetch CRL URL
which is potentially defined within peer certificate. However will use
CRL URL defined within peer certificate as fallback, if fetch fails.
.. osdx:cfgcmd:: vpn ipsec auth-profile local csr
.. raw:: html
Devices
local Certificate Signing Request instance (SCEP)
:ref Reference: system certificate scep csr *
.. osdx:cfgcmd:: vpn ipsec auth-profile local id
.. raw:: html
Devices
Local subject DN or subjectAltName contained in the certificate
The local identity is what a peer expects to find when connecting using
the RSA certificate for authentication. This can be either an IP address, hostname or strongSwan "magic" variables
(such as "%any"). Please, refer to: https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing
for more information
:arg ipv4:
IPv4 address identity
:arg ipv6:
IPv6 address identity
:arg fqdn:
Fully qualified domain name identity
:arg %any:
Accept any remote identity
:arg id:
Any other value matching Identity Parsing rules
.. osdx:cfgcmd:: vpn ipsec auth-profile local key
.. raw:: html
Devices
local private key
:ref Required: vpn ipsec auth-profile * local key file *
.. osdx:cfgcmd:: vpn ipsec auth-profile local key encrypted-passphrase
.. raw:: html
Devices
:arg password:
Encrypted passphrase
.. osdx:cfgcmd:: vpn ipsec auth-profile local key file
.. raw:: html
Devices
:arg file:
Private key file
.. osdx:cfgcmd:: vpn ipsec auth-profile local key passphrase
.. raw:: html
Devices
:arg txt:
Passphrase for private key file
These characters are allowed to be used for the passphrase:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set the passphrase is recommended. If you are
using special characters in the passphrase then single quotes are
required.
Example usage: 'aA1-&!@,.:_2Bb'
.. osdx:cfgcmd:: vpn ipsec auth-profile local pkcs12
.. raw:: html
Devices
local PKCS#12
:ref Required: vpn ipsec auth-profile * local pkcs12 file *
:ref Required: vpn ipsec auth-profile * local pkcs12 encrypted-passphrase *
.. osdx:cfgcmd:: vpn ipsec auth-profile local pkcs12 encrypted-passphrase
.. raw:: html
Devices
:arg password:
Encrypted passphrase
.. osdx:cfgcmd:: vpn ipsec auth-profile local pkcs12 file
.. raw:: html
Devices
:arg file:
PKCS#12 file
.. osdx:cfgcmd:: vpn ipsec auth-profile local pkcs12 passphrase
.. raw:: html
Devices
:arg txt:
Passphrase of PKCS#12 file
These characters are allowed to be used for the passphrase:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set the passphrase is recommended. If you are
using special characters in the passphrase then single quotes are
required.
Example usage: 'aA1-&!@,.:_2Bb'
.. osdx:cfgcmd:: vpn ipsec auth-profile local ppk
.. raw:: html
Devices
PPK (Post-Quantum Pre-Shared Key) for local/remote peers
.. osdx:cfgcmd:: vpn ipsec auth-profile local ppk id
.. raw:: html
Devices
String identifying PPK (Post-Quantum Pre-Shared Key) for local/remote peers
Specify which PPK (Post-Quantum Pre-Shared Key) secret ID to use for local authentication.
:arg id:
String identifying the Postquantum Preshared Key to be used
.. osdx:cfgcmd:: vpn ipsec auth-profile local ppk required
.. raw:: html
Devices
Whether the PPK is required for the connection
.. osdx:cfgcmd:: vpn ipsec auth-profile local xauth
.. raw:: html
Devices
XAUTH (Extended Authentication) for local peers
.. osdx:cfgcmd:: vpn ipsec auth-profile local xauth id
.. raw:: html
Devices
String identifying XAUTH (Extended Authentication) secret to be used in local peers
Specify which XAUTH secret ID to use for local extended authentication.
This is used for Phase II authentication in IKEv1. For more information, refer to the VPN documentation.
:arg id:
String identifying the XAUTH secret to be used
.. osdx:cfgcmd:: vpn ipsec auth-profile mirror-config
.. raw:: html
Devices
Mirror one authentication side into the other, if not defined
When defining an authentication side (local/remote), you can opt-in for only
defining one of them. By default, the configuration is mirrored into the missing
side (only "auth") respecting already existing data. This way, authentication
profiles can be partially defined but with a fully working VPN connection
:arg true:
The existing profile is mirrored into the non-existing one
:arg false:
No mirroring is done. Notice that you must define both of them individually
.. osdx:cfgcmd:: vpn ipsec auth-profile remote
.. raw:: html
Devices
Remote (right) authentication configuration
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth
.. raw:: html
Devices
Authentication method used by connecting peer
When a peer authenticates against us (as a server), a remote authentication
method must be used. By default, it is "pubkey" (key-pair certificates)
which servers for the purpose of identifying the peer.
Another method is done by using a pre-shared key in which a key must be shared
for connecting. And finally it is possible to authenticate using the RADIUS,
usually based on a username/password.
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth eap
.. raw:: html
Devices
EAP (Extensible Authentication Protocol) for local/remote peers
Specify which EAP secret ID to use for authentication.
The actual secret must be defined in global-secrets/eap.
Notice that strongSwan magic values can be used (for example, "%any").
For more information, please refer to the VPN documentation.
:arg id:
EAP identifier/username/remote ID used against when authenticating
:arg %any:
Match any identity from configured secrets
:arg type:
Supported types are rfc822, email, userfqdn, fqdn, dns, asn1dn, and keyid. Regex starts with a caret character (^) and ends with a dollar sign ($). As example, "email:^.*@teldat.com$". Regular expressions can only be used to match remote identities, not as local identities. ()
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth eap type
.. raw:: html
Devices
Type of EAP authentication to use. By default, it is guessed
Different kind of EAP authentication mechanisms can be used during identity
exchange. By default, the EAP method is guessed during IKE negotiation but you
can manually specify which one must be used.
:arg mschapv2:
EAP-Microsoft Challenge Handshake Authentication Protocol version 2
:arg tls:
EAP-TLS protocol handler, to authenticate with certificates in EAP
:arg ttls:
EAP-TTLS protocol handler, wraps other EAP methods securely
:arg md5:
EAP-MD5 protocol handler using passwords
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth ike-psk
.. raw:: html
Devices
IKE Pre-Shared Key for local/remote peers
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth ike-psk id
.. raw:: html
Devices
String identifying IKE Pre-Shared Key for local/remote peers
Specify which IKE Pre-Shared Key secret ID to use when authenticating remote peers.
The strongSwan magic value "%any" can be used to match any remote peer identity.
Avoid using "%any" for local authentication as it may cause unpredictable secret matching.
This is used for authenticating peers during IKE negotiation. For more information, refer to the VPN documentation.
:arg id:
String identifying the IKE Pre-Shared Key to be used
:arg %any:
Match any remote peer identity
:arg type:
Supported types are rfc822, email, userfqdn, fqdn, dns, asn1dn, and keyid. Regex starts with a caret character (^) and ends with a dollar sign ($). As example, "email:^.*@teldat.com$". Regular expressions can only be used to match remote identities, not as local identities. ()
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth radius
.. raw:: html
Devices
IPSec RADIUS based authentication
.. osdx:cfgcmd:: vpn ipsec auth-profile remote ca-cert-file
.. raw:: html
Devices
:arg file:
remote CA certificate file
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile remote cert-file
.. raw:: html
Devices
:arg file:
remote certificate file
.. osdx:cfgcmd:: vpn ipsec auth-profile remote cnm-certs
.. raw:: html
Devices
Licenses
remote Cloud Network Manager (CNM) certificates
.. osdx:cfgcmd:: vpn ipsec auth-profile remote crl
.. raw:: html
Devices
remote Certificate Revocation List
.. osdx:cfgcmd:: vpn ipsec auth-profile remote crl file
.. raw:: html
Devices
:arg file:
Local CRL file
.. osdx:cfgcmd:: vpn ipsec auth-profile remote crl revocation
.. raw:: html
Devices
Revocation mode
:arg relaxed:
Auth fails, if certificate revoked
:arg strict:
Auth fails, if certificate revoked or if CRL cannot be loaded/downloaded
.. osdx:cfgcmd:: vpn ipsec auth-profile remote crl url
.. raw:: html
Devices
:arg txt:
CRL file HTTP download URL
Will attempt to HTTP fetch this URL first, before attempting to fetch CRL URL
which is potentially defined within peer certificate. However will use
CRL URL defined within peer certificate as fallback, if fetch fails.
.. osdx:cfgcmd:: vpn ipsec auth-profile remote csr
.. raw:: html
Devices
remote Certificate Signing Request instance (SCEP)
:ref Reference: system certificate scep csr *
.. osdx:cfgcmd:: vpn ipsec auth-profile remote id
.. raw:: html
Devices
Remote subject DN or subjectAltName contained in the certificate
The remote identity is what a peer expects to find when connecting using
the RSA certificate for authentication. This can be either an IP address, hostname or strongSwan "magic" variables
(such as "%any"). Please, refer to: https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing
for more information
:arg ipv4:
IPv4 address identity
:arg ipv6:
IPv6 address identity
:arg fqdn:
Fully qualified domain name identity
:arg %any:
Accept any remote identity
:arg id:
Any other value matching Identity Parsing rules
.. osdx:cfgcmd:: vpn ipsec auth-profile remote key
.. raw:: html
Devices
remote private key
:ref Required: vpn ipsec auth-profile * remote key file *
.. osdx:cfgcmd:: vpn ipsec auth-profile remote key encrypted-passphrase
.. raw:: html
Devices
:arg password:
Encrypted passphrase
.. osdx:cfgcmd:: vpn ipsec auth-profile remote key file
.. raw:: html
Devices
:arg file:
Private key file
.. osdx:cfgcmd:: vpn ipsec auth-profile remote key passphrase
.. raw:: html
Devices
:arg txt:
Passphrase for private key file
These characters are allowed to be used for the passphrase:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set the passphrase is recommended. If you are
using special characters in the passphrase then single quotes are
required.
Example usage: 'aA1-&!@,.:_2Bb'
.. osdx:cfgcmd:: vpn ipsec auth-profile remote pkcs12
.. raw:: html
Devices
remote PKCS#12
:ref Required: vpn ipsec auth-profile * remote pkcs12 file *
:ref Required: vpn ipsec auth-profile * remote pkcs12 encrypted-passphrase *
.. osdx:cfgcmd:: vpn ipsec auth-profile remote pkcs12 encrypted-passphrase
.. raw:: html
Devices
:arg password:
Encrypted passphrase
.. osdx:cfgcmd:: vpn ipsec auth-profile remote pkcs12 file
.. raw:: html
Devices
:arg file:
PKCS#12 file
.. osdx:cfgcmd:: vpn ipsec auth-profile remote pkcs12 passphrase
.. raw:: html
Devices
:arg txt:
Passphrase of PKCS#12 file
These characters are allowed to be used for the passphrase:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set the passphrase is recommended. If you are
using special characters in the passphrase then single quotes are
required.
Example usage: 'aA1-&!@,.:_2Bb'
.. osdx:cfgcmd:: vpn ipsec auth-profile remote ppk
.. raw:: html
Devices
PPK (Post-Quantum Pre-Shared Key) for local/remote peers
.. osdx:cfgcmd:: vpn ipsec auth-profile remote ppk id
.. raw:: html
Devices
String identifying PPK (Post-Quantum Pre-Shared Key) for local/remote peers
Specify which PPK (Post-Quantum Pre-Shared Key) secret ID to use when authenticating remote peers.
:arg id:
String identifying the Postquantum Preshared Key to be used
:arg %any:
Match any remote peer identity
:arg regex:
Match any identity that match with the regular expression defined, such as ``*@teldat.com``
.. osdx:cfgcmd:: vpn ipsec auth-profile remote ppk required
.. raw:: html
Devices
Whether the PPK is required for the connection
.. osdx:cfgcmd:: vpn ipsec auth-profile remote xauth
.. raw:: html
Devices
XAUTH (Extended Authentication) for remote peers
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec auth-profile remote xauth id
.. raw:: html
Devices
String identifying XAUTH (Extended Authentication) secret to be used in remote peers
Specify which XAUTH secret ID to use when authenticating remote peers with extended authentication.
The actual secret must be defined in global-secrets/xauth. The strongSwan magic value "%any"
can be used to match any remote peer identity.This is used for Phase II authentication in IKEv1. For more information, refer to the VPN documentation.
:arg id:
String identifying the XAUTH secret to be used
:arg %any:
Match any remote peer identity
:arg type:
Supported types are rfc822, email, userfqdn, fqdn, dns, asn1dn, and keyid. Regex starts with a caret character (^) and ends with a dollar sign ($). As example, "email:^.*@teldat.com$". Regular expressions can only be used to match remote identities, not as local identities. ()
.. osdx:cfgcmd:: vpn ipsec auth-profile remote xauth radius
.. raw:: html
Devices
IPSec RADIUS based authentication
.. osdx:cfgcmd:: vpn ipsec dmvpn-profile
.. raw:: html
Devices
Licenses
DMVPN IPSec Profile
:arg id:
Name of the DMVPN IPSec profile
:instances: Multiple
:ref Required: vpn ipsec auth-profile *
:ref Required: vpn ipsec esp-group *
:ref Required: vpn ipsec ike-group *
.. osdx:cfgcmd:: vpn ipsec dmvpn-profile auth-profile
.. raw:: html
Devices
Licenses
IPSec Authentication Profile
:ref Reference: vpn ipsec auth-profile *
.. osdx:cfgcmd:: vpn ipsec dmvpn-profile esp-group
.. raw:: html
Devices
Licenses
Esp group name
:ref Reference: vpn ipsec esp-group *
.. osdx:cfgcmd:: vpn ipsec dmvpn-profile ike-group
.. raw:: html
Devices
Licenses
Ike group name
:ref Reference: vpn ipsec ike-group *
.. osdx:cfgcmd:: vpn ipsec dmvpn-profile unique
.. raw:: html
Devices
Licenses
Peer uniqueness policy to enforce when the same identity establishes a new SA
:arg never:
No uniqueness enforcement. Ignores even INITIAL_CONTACT notifications from the peer. Allows duplicate SAs without restriction
:arg no:
Does not proactively check for duplicates, but does delete existing SAs if the peer sends INITIAL_CONTACT. Relies on the peer notifying the reconnection (default)
:arg replace:
Proactively checks for duplicates when a new SA is established. If a duplicate is found, destroys the old one and accepts the new one. Also reacts to INITIAL_CONTACT
:arg keep:
Proactively checks for duplicates. If a duplicate is found from a different IP, rejects the new connection and keeps the existing one. If the new peer sends INITIAL_CONTACT, the existing SA will be replaced regardless
.. osdx:cfgcmd:: vpn ipsec downloader
.. raw:: html
Devices
VPN downloader configuration
.. osdx:cfgcmd:: vpn ipsec downloader local-address
.. raw:: html
Devices
Local IP address to use as source for strongSwan downloads
:arg ipv4:
Local IPv4 address
:arg ipv6:
Local IPv6 address
:Local IP address:
.. osdx:cfgcmd:: vpn ipsec downloader local-interface
.. raw:: html
Devices
:arg ifc:
Interface to use as source for strongSwan downloads
.. osdx:cfgcmd:: vpn ipsec downloader local-vrf
.. raw:: html
Devices
VRF to use as source for strongSwan downloads
:ref Reference: system vrf *
.. osdx:cfgcmd:: vpn ipsec esp-group
.. raw:: html
Devices
:arg id:
Name of Encapsulating Security Payload (ESP) group
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec esp-group compression
.. raw:: html
Devices
ESP compression
.. osdx:cfgcmd:: vpn ipsec esp-group lifetime
.. raw:: html
Devices
ESP lifetime
:arg u32:
ESP lifetime (in seconds by default)
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec esp-group lifetime MB
.. raw:: html
Devices
ESP lifetime to be in megabytes
.. osdx:cfgcmd:: vpn ipsec esp-group lifetime packets
.. raw:: html
Devices
ESP lifetime to be in packets
.. osdx:cfgcmd:: vpn ipsec esp-group lifetime seconds
.. raw:: html
Devices
ESP lifetime to be in seconds
.. osdx:cfgcmd:: vpn ipsec esp-group mark-in
.. raw:: html
Devices
Set an XFRM mark on the inbound policy
:arg unique:
Use a unique mark for each tunnel
:arg unique-dir:
Use a unique mark for each tunnel and direction (in/out)
:arg unique-only-nat:
Use a unique mark for each tunnel when NAT is detected
:arg same:
Use the same mark for all tunnels
:arg u32:
Mark value
.. osdx:cfgcmd:: vpn ipsec esp-group mark-out
.. raw:: html
Devices
Set an XFRM mark on the outbound IPsec SA and policy
:arg unique:
Use a unique mark for each tunnel
:arg unique-dir:
Use a unique mark for each tunnel and direction (in/out)
:arg unique-only-nat:
Use a unique mark for each tunnel when NAT is detected
:arg same:
Use the same mark for all tunnels
:arg u32:
Mark value
.. osdx:cfgcmd:: vpn ipsec esp-group mode
.. raw:: html
Devices
:arg id:
ESP mode
.. osdx:cfgcmd:: vpn ipsec esp-group proposal
.. raw:: html
Devices
ESP-group proposal [REQUIRED]
:arg u32:
ESP-group proposal number (1-65535)
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec esp-group proposal encryption
.. raw:: html
Devices
:arg id:
Encryption algorithm
.. osdx:cfgcmd:: vpn ipsec esp-group proposal hash
.. raw:: html
Devices
:arg id:
Hash algorithm
.. osdx:cfgcmd:: vpn ipsec esp-group proposal pfs
.. raw:: html
Devices
:arg id:
ESP Perfect Forward Secrecy
.. osdx:cfgcmd:: vpn ipsec esp-group replay-window
.. raw:: html
Devices
Replay Window Value
:arg u32:
Replay Window Value (0-32)
.. osdx:cfgcmd:: vpn ipsec esp-group vrf-mark-in
.. raw:: html
Devices
Set an XFRM mark on the inbound policy using a VRF
:ref Reference: system vrf *
.. osdx:cfgcmd:: vpn ipsec esp-group vrf-mark-out
.. raw:: html
Devices
Set an XFRM mark on the outbound IPsec SA and policy using a VRF
:ref Reference: system vrf *
.. osdx:cfgcmd:: vpn ipsec ike-group
.. raw:: html
Devices
:arg id:
Name of Internet Key Exchange (IKE) group
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection
.. raw:: html
Devices
Dead Peer Detection (DPD)
.. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection action
.. raw:: html
Devices
Keep-alive failure action
:arg clear:
Set action to clear
:arg restart:
Set action to restart
:arg trap:
Set action to trap
.. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection interval
.. raw:: html
Devices
Keep-alive interval
:arg u32:
Keep-alive interval in seconds (1-86400)
.. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection timeout
.. raw:: html
Devices
Keep-alive timeout
:arg u32:
Keep-alive timeout in seconds (1-86400)
.. osdx:cfgcmd:: vpn ipsec ike-group ikev2-reauth
.. raw:: html
Devices
Re-authentication of the remote peer during an IKE re-key. IKEv2 option only
.. osdx:cfgcmd:: vpn ipsec ike-group key-exchange
.. raw:: html
Devices
:arg id:
Key Exchange Version
.. osdx:cfgcmd:: vpn ipsec ike-group lifetime
.. raw:: html
Devices
IKE lifetime
:arg u32:
IKE lifetime in seconds (30-4294967295)
.. osdx:cfgcmd:: vpn ipsec ike-group mobike
.. raw:: html
Devices
Enable MOBIKE Support. MOBIKE is only available for IKEv2.
.. osdx:cfgcmd:: vpn ipsec ike-group mode
.. raw:: html
Devices
IKEv1 Phase 1 Mode Selection
:arg main:
Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)
:arg aggressive:
Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.
.. osdx:cfgcmd:: vpn ipsec ike-group proposal
.. raw:: html
Devices
IKE-group proposal [REQUIRED]
:arg u32:
IKE-group proposal (1-65535)
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec ike-group proposal dh-group
.. raw:: html
Devices
:arg id:
Diffie-Hellman (DH) key exchange group
.. osdx:cfgcmd:: vpn ipsec ike-group proposal encryption
.. raw:: html
Devices
:arg id:
Encryption algorithm
.. osdx:cfgcmd:: vpn ipsec ike-group proposal hash
.. raw:: html
Devices
:arg id:
Hash algorithm
.. osdx:cfgcmd:: vpn ipsec interface
.. raw:: html
Devices
Network interfaces that should be used by IPSec. All other interfaces are ignored.
:arg txt:
IPSec interface
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec logging
.. raw:: html
Devices
IPsec logging
.. osdx:cfgcmd:: vpn ipsec logging log-types
.. raw:: html
Devices
Select log type
.. osdx:cfgcmd:: vpn ipsec logging log-types any
.. raw:: html
Devices
Apply log level to all existing types.
.. osdx:cfgcmd:: vpn ipsec logging log-types any log-level
.. raw:: html
Devices
:arg txt:
VPN Logger Verbosity Level
.. osdx:cfgcmd:: vpn ipsec logging log-types type
.. raw:: html
Devices
Apply to a specific log type. To see what each log type exactly does, please refer to the VPN documentation
:arg dmn:
Debug log option for VPN
:arg mgr:
Debug log option for VPN
:arg ike:
Debug log option for VPN
:arg chd:
Debug log option for VPN
:arg job:
Debug log option for VPN
:arg cfg:
Debug log option for VPN
:arg knl:
Debug log option for VPN
:arg net:
Debug log option for VPN
:arg asn:
Debug log option for VPN
:arg enc:
Debug log option for VPN
:arg lib:
Debug log option for VPN
:arg esp:
Debug log option for VPN
:arg tls:
Debug log option for VPN
:arg tnc:
Debug log option for VPN
:arg imc:
Debug log option for VPN
:arg imv:
Debug log option for VPN
:arg pts:
Debug log option for VPN
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec logging log-types type log-level
.. raw:: html
Devices
:arg id:
VPN Logger Verbosity Level
.. osdx:cfgcmd:: vpn ipsec pool
.. raw:: html
Devices
:arg id:
Name of Remote Address pool
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec pool prefix
.. raw:: html
Devices
:arg ipv4net:
Remote IPv4 or IPv6 prefix
:arg ipv6net:
Remote IPv4 or IPv6 prefix
.. osdx:cfgcmd:: vpn ipsec pool range
.. raw:: html
Devices
Remote IPv4 or IPv6 range
.. osdx:cfgcmd:: vpn ipsec pool range first-address
.. raw:: html
Devices
:arg ipv4:
First IPv4 or IPv6 address of the pool range
:arg ipv6:
First IPv4 or IPv6 address of the pool range
.. osdx:cfgcmd:: vpn ipsec pool range last-address
.. raw:: html
Devices
:arg ipv4:
Last IPv4 or IPv6 address of the pool range
:arg ipv6:
Last IPv4 or IPv6 address of the pool range
.. osdx:cfgcmd:: vpn ipsec radius
.. raw:: html
Devices
IPSec RADIUS based authentication settings
:ref Required: system aaa list *
.. osdx:cfgcmd:: vpn ipsec radius accounting
.. raw:: html
Devices
Enable RADIUS accounting
.. osdx:cfgcmd:: vpn ipsec radius authentication-list
.. raw:: html
Devices
VPN type list to use when authenticating
Choose the VPN list that will be used when an external user
tries to authenticate. Lists can be set-up with "system aaa list" command
:ref Reference: system aaa list *
.. osdx:cfgcmd:: vpn ipsec radius dae
.. raw:: html
Devices
Dynamic Authorization Extension (DAE) options
:ref Required: vpn ipsec radius dae encrypted-secret *
.. osdx:cfgcmd:: vpn ipsec radius dae encrypted-secret
.. raw:: html
Devices
:arg password:
Encrypted secret
.. osdx:cfgcmd:: vpn ipsec radius dae listen-address
.. raw:: html
Devices
Listen address to listen to DAE messages
:arg ipv4:
IPv4 listen address
:arg ipv6:
IPv6 listen address
:Local IP address:
.. osdx:cfgcmd:: vpn ipsec radius dae port
.. raw:: html
Devices
Port to listen for requests
:arg u32:
Numeric IP port (1-65535)
.. osdx:cfgcmd:: vpn ipsec radius dae secret
.. raw:: html
Devices
:arg txt:
Shared secret used to verify/sign DAE messages
These characters are allowed to be used for setting the shared secret:
alphanumeric characters: a-z A-Z 0-9
special characters: - + & ! @ # $ %% ^ * ( ) , . : _
It is recommended to use single quotes (') for setting the shared-secret.
If special characters are being used, then single quotes are mandatory
.. osdx:cfgcmd:: vpn ipsec radius eap-start
.. raw:: html
Devices
Send "EAP-Start" instead of "EAP-Identity" to start RADIUS conversation
.. osdx:cfgcmd:: vpn ipsec site-to-site
.. raw:: html
Devices
Site to site VPN
.. osdx:cfgcmd:: vpn ipsec site-to-site peer
.. raw:: html
Devices
:arg id:
VPN peer
:instances: Multiple
:ref Required: vpn ipsec auth-profile *
:ref Required: vpn ipsec ike-group *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer auth-profile
.. raw:: html
Devices
IPSec Authentication Profile
:ref Reference: vpn ipsec auth-profile *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer connection-type
.. raw:: html
Devices
Connection type
:arg initiate:
This endpoint can initiate or respond to a connection
:arg respond:
This endpoint will only respond to a connection
:arg on-demand:
This endpoint will initiate a connection if matching traffic is detected
.. osdx:cfgcmd:: vpn ipsec site-to-site peer default-esp-group
.. raw:: html
Devices
Default ESP group name
:ref Reference: vpn ipsec esp-group *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer description
.. raw:: html
Devices
:arg txt:
VPN peer description
.. osdx:cfgcmd:: vpn ipsec site-to-site peer dhcp-interface
.. raw:: html
Devices
:arg ifc:
DHCP interface that supplies the local address to use for IKE communication
.. osdx:cfgcmd:: vpn ipsec site-to-site peer force-encapsulation
.. raw:: html
Devices
Force UDP Encapsulation for ESP Payloads
.. osdx:cfgcmd:: vpn ipsec site-to-site peer ike-group
.. raw:: html
Devices
Internet Key Exchange (IKE) group name
:ref Reference: vpn ipsec ike-group *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer install-vips
.. raw:: html
Devices
Pull virtual IP addresses from remote
:ref Required: vpn ipsec site-to-site peer * install-vips interface *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer install-vips address
.. raw:: html
Devices
:arg ipv4:
Request specific address(es)
If not set, 0.0.0.0 will be used (i.e., it will accept any virtual IP)
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec site-to-site peer install-vips interface
.. raw:: html
Devices
:arg ifc:
Interface where VIPs should be installed
.. osdx:cfgcmd:: vpn ipsec site-to-site peer local-address
.. raw:: html
Devices
Local address(es) to use for IKE communication
As initiator, the first non-range/non-subset is used to initiate the connection.
As the responder, the local destination address must match at least one of the
specified addresses, subnets or ranges. FQDNs are resolved each time a
configuration lookup is done. Finally, "magic" values can be placed
here (such as "%any").
:arg ipv4:
IPv4 address of a local interface for VPN
:arg ipv6:
IPv6 address of a local interface for VPN
:arg fqdn:
DNS domain name of the local interface
:arg %any:
Match any address specified as local interface
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec site-to-site peer local-vrf
.. raw:: html
Devices
Bind to local Virtual Routing and Forwarding domain name
:ref Reference: system vrf *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer pool